As suggested in the aforementioned paragraph, depending on the developer, an entity deployed IDS can have a variety of components and features. However, IDS functionality commonly includes sensors for detecting data, analyzers for evaluating data, panels for monitoring activities as well as user-interfaces for manipulating configuration settings. Collected IDS items can be in the form of packets, system audit records, computed hash values as well as other data formats. Procedurally, analyzers receive input from sensors and determine intrusive activity.
The misuse detection model is based on the hypothesis that known exploits of vulnerabilities can be described by attack signatures or patterns, therefore IT attacks can be revealed through identifiable patterns. Malicious misuse encompasses reading, modification, and destruction of data. Misuse detection systems normally compare gathered information to large databases of attack signatures for internal perpetrator identification. There is typically a high-degree of certainty that signature-based intrusion detection models will recognize exact attack pattern replications; however slight variations in a data-based attack pattern may escape discovery.
Davis, Robert E. IT Auditing: Assuring Information Assets Protection. Raleigh: Lulu.com, 2010.